critical · 2026-03-10 · SAP NetWeaver · CVE-2026-27685

Insecure Deserialization in SAP NetWeaver Enterprise Portal Administration

SAP NetWeaver Enterprise Portal Administration

Our Take

Insecure deserialization with an RCE outcome on the portal server is serious. Note that this requires privileged access to exploit — it is not an unauthenticated attack. That said, if you have multiple portal admins or shared admin credentials, the blast radius is significant. If you run NetWeaver Enterprise Portal, this is a same-window patch.

Vulnerability Detail

Privileged users can upload malicious serialized objects through the Enterprise Portal Administration interface. When the server deserializes these objects, arbitrary code executes in the context of the portal server process, compromising confidentiality, integrity, and availability of the system.
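The root cause described above is a server that hands attacker-controlled bytes to a deserializer willing to instantiate any class on its classpath. The following is an added illustration, not SAP's code and not taken from the advisory: it assumes the objects are Java-serialized (the page does not state the serialization format) and shows the unrestricted `readObject()` pattern next to the hardened form that applies an allowlist `ObjectInputFilter` (JEP 290, Java 9+). The `PortalSetting` class and the sample payloads are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

public class DeserializationFilterDemo {

    // Constructed sample type: the one object shape this endpoint legitimately expects.
    public static final class PortalSetting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String key;
        final String value;
        PortalSetting(String key, String value) { this.key = key; this.value = value; }
    }

    // Vulnerable pattern: readObject() will instantiate whatever class the stream names,
    // so any gadget class reachable on the classpath becomes reachable to the uploader.
    static Object readUnrestricted(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened pattern: only explicitly expected classes may be deserialized, and the
    // object graph is bounded so a crafted stream cannot exhaust memory or stack.
    private static final Set<String> ALLOWED = Set.of(
        PortalSetting.class.getName(),
        String.class.getName());

    static final ObjectInputFilter ALLOWLIST = info -> {
        if (info.depth() > 10 || info.references() > 1000 || info.arrayLength() > 1000) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> cls = info.serialClass();
        if (cls == null) {
            // Filter callbacks that carry no class (e.g. graph-level limits) stay undecided.
            return ObjectInputFilter.Status.UNDECIDED;
        }
        if (cls.isArray()) {
            cls = cls.getComponentType();  // judge arrays by their element type
        }
        return ALLOWED.contains(cls.getName())
            ? ObjectInputFilter.Status.ALLOWED
            : ObjectInputFilter.Status.REJECTED;
    };

    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ALLOWLIST);  // a REJECTED verdict throws InvalidClassException
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new PortalSetting("theme", "default"));
        // Constructed stand-in for an unexpected class; anything off the allowlist is treated alike.
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("unrestricted accepts expected:   "
            + (readUnrestricted(expected) instanceof PortalSetting));
        System.out.println("unrestricted accepts unexpected: "
            + (readUnrestricted(unexpected) instanceof HashMap));

        System.out.println("filtered accepts expected:       "
            + (readFiltered(expected) instanceof PortalSetting));
        try {
            readFiltered(unexpected);
            System.out.println("filtered accepted unexpected (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("filtered rejected unexpected:    " + e.getMessage());
        }
    }
}
```

The allowlist is the important design choice: a denylist of known gadget classes lags behind every newly published chain, whereas an allowlist of the handful of types an admin upload can legitimately contain fails closed. On Java 17+ the same policy can be expressed declaratively with `ObjectInputFilter.Config.createFilter("pkg.PortalSetting;java.lang.String;!*")` or installed process-wide through the `jdk.serialFilter` system property, which is useful when the deserialization call sits in third-party code you cannot modify.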

Workaround

Restrict Enterprise Portal Administration access to a minimal set of trusted administrator accounts, and monitor upload activity in portal admin interfaces.

Patch Action

Apply SAP Note 3714585.

Affected Versions

EP-RUNTIME 7.50

Patch Info

Priority: 🔴 Patch immediately
CVSS Score: 9.1
SAP Note: 3714585
CVE: CVE-2026-27685
Published: 2026-03-10

All content is editorial summary, not professional security advice. CVSS scores and SAP Note IDs are factual references. Patch timing is the responsibility of your security team based on your environment and SAP's official guidance.